2 VPN tunnels with 2 different IP address
Hi guys.
We have a question regarding the creation of a second tunnel and the link selection configuration.
We wanted to configure one of the external interfaces of the firewall that has another public IP to set up another VPN tunnel against a site.
We saw the following technical note
We currently have all the tunnels based on domain-based encryption policies against the IP defined in the firewall by link selection. Would this change imply a change or type of outage in the tunnels currently set up against that IP?
We welcome your comments.
Thank you
What is the actual Link Selection configuration currently?
I suspect for this to work, you'll need to do it based on the routing table.
R82 has much better Link Selection settings (can be set per VPN community).
Hi Phoneboy!
Currently the link selection in the firewall is configured as follows:
Always use this IP address --> Selected address from topology table --> IP address
The IP address that we currently want to use would be a different public IP than the one that is currently configured in this way. We currently have R81.20 installed on the firewalls that are VS from SGM master.
Thank you for your comments.
You'd have to change to "Calculate IP Based on Network Topology" and also set the Outgoing Route Selection accordingly.
Like I said, you can set different Link Selection per community in R82.
I will double check this in my lab (R82 one as well), but I believe link selection probing method would also work here.
Andy
I would only perform this type of change in a small maintenance window.
You might also need to change this:
https://support.checkpoint.com/results/sk/sk160672
During the window, make sure the new VPN tunnel works, but also the old tunnels! Consider even resetting them with vpn tu during the window to make sure that re-key part is
This type of config is a bit trial and error, so better do it in a window.
If you like this post please give a thumbs up(kudo)! 🙂
Hello Checkpointer.
Thanks for sharing your lab, it looks very interesting for our purpose.
You used the Calculate IP Based on Network Topology configuration and then the Operating system routing table, using the VPN by policies without problems, correct?
Thank you very much for the info.
Regards
Yes, that's correct.
Please test in a maintenance window.
